1 /*
2 * Copyright (c) 2003-2007,2009-2010 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * AuthorizationRule.h
24 * Security
25 *
26 */
27
28 #ifndef _H_AUTHORIZATIONRULE
29 #define _H_AUTHORIZATIONRULE 1
30
31 #include <CoreFoundation/CoreFoundation.h>
32 #include <security_cdsa_utilities/AuthorizationData.h>
33 #include "authority.h"
34 #include "agentclient.h"
35
36 namespace Authorization
37 {
38
// Forward declaration: Rule is the ref-counted handle to RuleImpl declared at
// the end of this header; RuleImpl needs it for its nested-rule vector.
class Rule;
40
// One parsed rule from the authorization database, keyed by a right name.
// An instance is built from the right's CFDictionary plus the dictionary of
// named rules, and is then asked (via evaluate()) whether a request for that
// right should be granted, given the credentials already held and the
// authorization token of the caller. Ref-counted; callers hold it through Rule.
//
// NOTE(review): the values parsed here (rule class, allow-root, shared, timeout,
// tries, extract-password) are the security-relevant knobs of a right. The
// defaults substituted for absent keys, and whether a malformed entry fails
// open or closed, are decided in the constructor's implementation, not in this
// header — review that when auditing a right definition.
class RuleImpl : public RefCount
{
public:
// Default-constructs an empty rule; the member values it carries are set by
// the implementation, not visible here.
RuleImpl();
// Parses the rule for inRightName from cfRight, resolving named rule
// references through cfRules (see kRuleDelegateID / mRuleDef).
RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);

// Evaluates this rule for inRight.
//   inRule              - the top-level Rule handle wrapping this object
//   environmentToClient - hints/context items returned to the requesting client (in/out)
//   flags               - AuthorizationFlags from the caller (e.g. whether interaction is allowed)
//   now                 - evaluation time, used against mMaxCredentialAge
//   inCredentials       - credentials already established (may be NULL)
//   credentials         - credentials produced by this evaluation (out)
//   auth                - the caller's AuthorizationToken (updated)
//   reason              - why the agent was invoked / why evaluation failed (out)
//   savePassword        - whether a password entered during evaluation is to be retained
// Returns an OSStatus; the exact success/failure codes are defined by the implementation.
OSStatus evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient,
AuthorizationFlags flags, CFAbsoluteTime now,
const CredentialSet *inCredentials, CredentialSet &credentials,
AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;

// The right name this rule was constructed for.
string name() const { return mRightName; }
// Whether the rule carries the extract-password attribute (kExtractPasswordID).
// NOTE(review): presumably this lets the authenticated password flow back to
// the client in the returned context; confirm in AuthorizationRule.cpp and
// treat rights that set it as sensitive.
bool extractPassword() const { return mExtractPassword; }

private:
// internal machinery

// evaluate credential for right
// Checks one already-held credential against this rule (group membership,
// age, shared-ness). ignoreShared skips credentials marked shared.
OSStatus evaluateCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule,
const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const;
// evaluate user credential (authentication) for right
// Same parameters as evaluateCredentialForRight, for a credential that
// represents an authenticated user rather than a generic credential.
OSStatus evaluateUserCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const;

// Evaluates the nested rules in mRuleDef (delegation and k-of-n classes);
// parameters mirror evaluate().
OSStatus evaluateRules(const AuthItemRef &inRight, const Rule &inRule,
AuthItemSet &environmentToClient, AuthorizationFlags flags,
CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;

// Populates environmentToClient with the hints the Security Agent needs
// (prompts, buttons, etc.) before the agent is invoked.
void setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, AuthItemSet &environmentToClient, AuthorizationToken &auth) const;

// perform authorization based on running specified mechanisms (see evaluateMechanism)
// Parameters mirror evaluate(); the mechanism list comes from mEvalDef.
OSStatus evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;

// Evaluation path for the kUser rule class (authenticate a user who is
// acceptable for this right); parameters mirror evaluate().
OSStatus evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
AuthItemSet &environmentToClient, AuthorizationFlags flags,
CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;

// Evaluation path for the kEvaluateMechanisms rule class: runs the
// mechanisms only, yielding outCredentials without the user-credential checks.
OSStatus evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials, bool savePassword) const;

// find username hint based on session owner
// Fills credential from the owner of the caller's session; used when
// mSessionOwner is set (kSessionOwnerID).
OSStatus evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, Credential &credential, SecurityAgent::Reason &reason) const;

// Builds the credential set that applies to the caller described by auth.
CredentialSet makeCredentials(const AuthorizationToken &auth) const;

// Copies of the localized agent prompt/button text keyed by locale
// (parsed through Attribute::getLocalizedText).
map<string,string> localizedPrompts() const { return mLocalizedPrompts; }
map<string,string> localizedButtons() const { return mLocalizedButtons; }


// parsed attributes
private:
// Rule class, selected by kRuleClassID; one value per kRule*ID key below
// (kKofN corresponds to kKofNID).
enum Type
{
kDeny,                 // never grant
kAllow,                // always grant, no authentication
kUser,                 // authenticate a user (see mGroupName, mAllowRoot, mSessionOwner)
kRuleDelegation,       // defer to the nested rules in mRuleDef
kKofN,                 // grant when mKofN of the nested rules succeed
kEvaluateMechanisms,   // run the mechanisms in mEvalDef only
} mType;

string mRightName;                 // right this rule was parsed for
string mGroupName;                 // group the authenticating user must belong to (kUserGroupID)
CFTimeInterval mMaxCredentialAge;  // how long a cached credential stays acceptable (kTimeoutID, presumably; verify in .cpp)
bool mShared;                      // whether credentials obtained here may be shared with other rights (kSharedID)
bool mAllowRoot;                   // whether a root caller satisfies the rule without authenticating (kAllowRootID)
vector<string> mEvalDef;           // mechanism names to run (kMechanismsID)
bool mSessionOwner;                // whether the session owner is offered/used as the user (kSessionOwnerID)
vector<Rule> mRuleDef;             // nested rules for delegation / k-of-n
uint32_t mKofN;                    // how many of mRuleDef must succeed for kKofN (kKofNID)
// Remaining attempts (kTriesID). Declared mutable so the const evaluate
// path can decrement it.
// NOTE(review): no synchronization is visible in this header; if one RuleImpl
// serves concurrent requests, updates to this counter could race — confirm
// how instances are shared before relying on it as a lockout.
mutable uint32_t mTries;
bool mExtractPassword;             // kExtractPasswordID; see extractPassword()
bool mAuthenticateUser;            // kRuleAuthenticateUserID; presumably whether a real authentication is required for kUser — verify in .cpp
map<string,string> mLocalizedPrompts;  // locale -> prompt text (kPromptID)
map<string,string> mLocalizedButtons;  // locale -> button text (kButtonID)

private:

// Typed accessors over the rule's CFDictionary. Each takes the key to read,
// whether the key is required, and the value to use when it is absent; what
// happens when a required key is missing or has the wrong CF type is decided
// by the implementation.
class Attribute
{
public:
static bool getBool(CFDictionaryRef config, CFStringRef key, bool required, bool defaultValue);
static double getDouble(CFDictionaryRef config, CFStringRef key, bool required, double defaultValue);
static string getString(CFDictionaryRef config, CFStringRef key, bool required, const char *defaultValue);
static vector<string> getVector(CFDictionaryRef config, CFStringRef key, bool required);
// Reads the dictionary under dictKey into localizedPrompts (locale -> text);
// descriptionKey is the fallback description key. Returns whether anything was read.
static bool getLocalizedText(CFDictionaryRef config, map<string,string> &localizedPrompts, CFStringRef dictKey, const char *descriptionKey);
};


// keys
// Attribute keys within a right/rule dictionary; values are defined in the .cpp.
static CFStringRef kUserGroupID;
static CFStringRef kTimeoutID;
static CFStringRef kSharedID;
static CFStringRef kAllowRootID;
static CFStringRef kMechanismsID;
static CFStringRef kSessionOwnerID;
static CFStringRef kKofNID;
static CFStringRef kPromptID;
static CFStringRef kButtonID;
static CFStringRef kTriesID;
static CFStringRef kExtractPasswordID;

// Rule-class key and its recognized values (map onto enum Type).
static CFStringRef kRuleClassID;
static CFStringRef kRuleAllowID;
static CFStringRef kRuleDenyID;
static CFStringRef kRuleUserID;
static CFStringRef kRuleDelegateID;
static CFStringRef kRuleMechanismsID;
static CFStringRef kRuleAuthenticateUserID;
};
151
// Ref-counted handle to a RuleImpl. Copying a Rule shares the underlying
// RuleImpl; the two constructors mirror RuleImpl's and presumably allocate it.
class Rule : public RefPointer<RuleImpl>
{
public:
Rule();
// Builds the RuleImpl for inRightName from cfRight, resolving named rules via cfRules.
Rule(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);
};
158
159 }; /* namespace Authorization */
160
161 #endif /* ! _H_AUTHORIZATIONRULE */